pfsense

5 Articles

Going To Extremes To Block YouTube Ads

August 26, 2023 by 103 Comments

Many users of YouTube feel that the quality of the service has been decreasing in recent years — the platform offers up bizarre recommendations, fails to provide relevant search results, and continues to shove an increasing amount of ads into the videos themselves. For shareholders of Google’s parent company, though, this is a feature and not a bug; and since shareholder opinion is valued much more highly than user opinion, the user experience will likely continue to decline. But if you’re willing to put a bit of effort in you can stop a large chunk of YouTube ads from making it to your own computers and smartphones.

[Eric] is setting up this adblocking system on his entire network, so running something like Pi-hole on a single-board computer wouldn’t have the performance needed. Instead, he’s installing the pfSense router software on a mini PC. To start, [Eric] sets up a pretty effective generic adblocker in pfSense to replace his Pi-hole, which does an excellent job, but YouTube is a different beast when it comes to serving ads especially on Android and iOS apps. One initial attempt to at least reduce ads was to subtly send YouTube traffic through a VPN to a country with fewer ads, in this case Italy, but this solution didn’t pan out long-term.

A few other false starts later, all of which are documented in detail by [Eric] for those following along, and eventually he settled on a solution which is effectively a man-in-the-middle attack between any device on his network and the Google ad servers. His router is still not powerful enough to decode this information on the fly but his trick to get around that is to effectively corrupt the incoming advertising data with a few bad bytes so they aren’t able to be displayed on any devices on the network. It’s an effective and unique solution, and one that Google hopefully won’t be able to patch anytime soon. There are some other ways to improve the miserable stock YouTube experience that we have seen as well, like bringing back the dislike button.

Thanks to [Jack] for the tip!

This Week In Security: Updraft, Termux, And Magento

February 25, 2022 by 7 Comments

One of the most popular WordPress backup plugins, UpdraftPlus, has released a set of updates, x.22.3, that contain a potentially important fix for CVE-2022-23303. This vulnerability exposes existing backups to any logged-in WordPress user. This bug was found by the guys at Jetpack, who have a nice write-up on it. It’s a combination of instances of a common problem — endpoints that lacked proper authentication. The heartbeat function allows any user to access it, and it returns the latest backup nonce.

A cryptographic nonce is a value that’s not exactly a cryptographic secret, but is only used once. In some cases, this is to mitigate replay attacks, or is used as an initialization vector. In the case of UpdraftPlus, the nonce works as a unique identifiers for individual backups. The data leak can be combined with another weak validation in the maybe_download_backup_from_email() function, to allow downloading of a backup. As WordPress backups will contain sensitive information, this is quite the problem. There are no known in-the-wild instances of this attack being used, but as always, update now to stay ahead of the game.

Continue reading “This Week In Security: Updraft, Termux, And Magento”

This Week In Security: NAME:WRECK, Signal Hacks Back, Updates, And More

April 23, 2021 by 9 Comments

NAME:WRECK is a collection of vulnerabilities in DNS implementations, discovered by Forescout and JSOF Research. This body of research can be seen as a continuation of Ripple20 and AMNESIA:33, as it builds on a class of vulnerability discovered in other network stacks, problems with DNS message compression.

Their PDF Whitepaper contains a brief primer on the DNS message format, which is useful for understanding the class of problem. In such a message, a DNS name is encoded with a length-value scheme, with each full name ending in a null byte. So in a DNS Request, Hackaday.com would get represented as [0x08]Hackaday[0x03]com[0x00]. The dots get replaced by these length values, and it makes for an easily parsable format.

Very early on, it was decided that continually repeating the same host names in a DNS message was wasteful of space, so a compression scheme was devised. DNS compression takes advantage of the maximum host/domain length of 63 characters. This max size means that the binary representation of that length value will never contain “1”s in the first two digits. Since it can never be used, length values starting with a binary “11” are used to point to a previously occurring domain name. The 14 bits that follow this two bit flag are known as a compression pointer, and represent a byte offset from the beginning of the message. The DNS message parser pulls the intended value from that location, and then continues parsing.

The problems found were generally based around improper validation. For example, the NetX stack doesn’t check whether the compression pointer points at itself. This scenario leads to a tight infinite loop, a classic DoS attack. Other systems don’t properly validate the location being referenced, leading to data copy past the allocated buffer, leading to remote code execution (RCE). FreeBSD has this issue, but because it’s tied to DHCP packets, the vulnerability can only be exploited by a device on the local network. While looking for message compression issues, they also found a handful of vulnerabilities in DNS response parsing that aren’t directly related to compression. The most notable here being an RCE in Seimens’ Nucleus Net stack. Continue reading “This Week In Security: NAME:WRECK, Signal Hacks Back, Updates, And More”

Up Your Home Network Performance – Build Your Own Router!

June 19, 2020 by 118 Comments

Internet connections continue to increase in speed, and for a lucky few, it’s possible to get a Gigabit fibre connection at home. However, if you’re intending to use this connection to its fullest, you might find that your off-the-shelf router has become a bit of a bottleneck. [Wes Fenlon] of PC Gamer had this very problem, and found the perfect workaround – building a custom router instead!

The main problem with commodity routers is a lack of processing power. With networks growing ever faster, the hardware in routers hasn’t kept up with the needs of demanding power users. To solve this, [Wes] grabbed an old PC he had lying around, packing a quad-core i5 CPU and 16 GB of RAM. Fitted with an enterprise-grade 4-port Gigabit LAN card, and running Netgear’s  (Sorry commenteers!) Netgate’s pfSense routing software, the old machine has enough power to be complete overkill for the application.

The side benefit of this method is configurability. pfSense has a far more powerful set of options than most common routers. It’s config page also runs far more smoothly, too. There’s also the possibility to run all sorts of useful plugins, like router-level ad blockers and traffic monitoring utilities.

Overall, it’s a great way to repurpose a surplus machine and improve your network performance on the cheap. Others have tried similar builds, too. It has us contemplating the possibilities for our own networks at home!

Broken Yoga Becomes Firewall

April 17, 2017 by 14 Comments

It seems the older I get, the density of broken and/or old laptops on my garage grows. That’s one of the reasons it’s interesting to know which projects are being made to bring back to life these things. [zigzagjoe] sent us an interesting project he made out of a Lenovo Yoga 2 motherboard: a pfsense router/firewall.

The laptop was damaged, but the main board was functioning just fine. What started as adding an old Pentium heatsink to it and see how good it would work, escalated to a fully working, WiFi, 4 port gigabyte NIC, 3D printed case firewall. The board had PCI-E via an M.2 A/E key slot for the WiFi module but [zigzagjoe] need a normal PCI-E slot to connect the quad-port NIC. He decided to hand solder the M.2 A/E (WiFi card) to have a PCI-E 1x breakout since his searches for an adapter came out empty or too expensive. For storage, he chose 16GB SanDisk U100 Server half-slim SSD for its power efficiency. Once again, the SSD cable had to be hacked as the laptop originally used a super-slim HDD with a non-standard connector. The enclosure was then designed and 3D printed.

But [zigzagjoe] went further to optimize his brand new router/firewall. On the project documentation, we can see a lot of different modifications went into building it, such as bios modification for new WiFi modules to work, an Attiny85 fan driver for extra cooling, a 45W PSU inside the case and other interesting hacks.

This is not your typical laptop to firewall hack, that’s for sure.

Continue reading “Broken Yoga Becomes Firewall”